Framework Cybersecurity Law in Chile: Obligations, Sanctions, and Compliance
Cybersecurity is no longer optional in Chile; it's the law. The publication of the Framework Cybersecurity Law (Law No. 21.663) and its initial regulation (Supreme Decree No. 285) marks a fundamental shift for all companies in the country. What used to be a best practice is now an explicit legal obligation, subject to government oversight and a significant sanctions regime.
For boards and senior management, this means cybersecurity has evolved from a technical issue to an unavoidable business responsibility. Ignoring this new regulation is not an option. This guide, aligned with Anguita Osorio's vision, outlines what you need to know to navigate this new regulatory framework and manage the associated risks.
Key Points for the Board
- New Institutional Framework: The National Cybersecurity Agency (ANCI) is established as the governing, supervisory, and sanctioning body.
- Obligated Entities: The law directly applies to 'Essential Services' (ES) and 'Operators of Vital Importance' (OVI), but its reach extends to the entire supply chain.
- Fundamental Duties: These include the obligation to report incidents within strict deadlines (as little as 3 hours), implement management systems (e.g., ISO 27001), and designate a responsible person.
- Severe Sanctions: Fines for non-compliance can reach up to 40,000 UTM (nearly USD 3 million) for OVIs, in addition to reputational risks and directors' liability.
The New Institutional Framework: ANCI and Key Stakeholders
The Cybersecurity Law in Chile establishes a new governance architecture. Understanding the roles is essential.
- National Cybersecurity Agency (ANCI): It acts as the governing, supervisory, and sanctioning body. It will be the main regulatory counterpart.
- National CSIRT: A technical team that coordinates incident response. It serves as the single reporting point for regulated entities.
Who Does the Law Apply To?
Essential Services (ES) and Operators of Vital Importance (OVI)
Law 21.663 establishes specific categories of obligated entities. Your organization must determine if it qualifies under one of them.
1. Essential Services (ES)
According to Article 4° of the law, these are public and private entities that carry out activities fundamental to the country. If your organization operates in one of the following sectors, it is subject to the basic obligations of the law:
- Electrical generation, transmission or distribution.
- Drinking water supply or sanitation.
- Telecommunications.
- Digital infrastructure (e.g. data centers, cloud computing).
- Digital and IT services managed by third parties.
- Transportation and infrastructure.
- Banking, financial services and payment methods.
- Administration of social security benefits.
- Postal and logistics services.
- Public Administration, Judicial Branch and National Congress.
- Production or research of pharmaceutical products.
2. Operators of Vital Importance (OVI)
These are Essential Services (or other entities) that ANCI formally qualifies as 'of vital importance' due to their particular criticality. This qualification implies additional and more demanding obligations. ANCI will make this decision based on criteria such as critical dependence on computer systems and the significant impact that an incident could cause to the nation.
Key Warning: If your company is a provider to an ES or an OVI, expect to be contractually required to comply with these same standards. The new Chilean cybersecurity law has a domino effect throughout the entire value chain.
Essential Duties: Obligations for Every Qualified Entity
Every organization qualified as an Essential Service must comply with the following fundamental duties:
General Duties (Art. 7)
- Apply permanent technical and organizational measures to manage risks.
- Maintain capabilities to Prevent, Report and Resolve incidents.
- Implement the protocols and standards dictated by ANCI.
Specific Duty to Report Incidents (Art. 9)
It is mandatory to notify the National CSIRT of every significant incident, following strict deadlines:
- Early Warning: Within 3 hours following awareness.
- Update Report: Within 72 hours following the alert.
- Final Report: Within 15 business days following the alert.
Reinforced Requirements: Additional Obligations for OVI (Art. 8)
If your company is qualified as an OVI, it must satisfy more rigorous obligations. The board of directors' responsibility in supervising these matters is even greater.
- Implement ISMS: A robust and continuous Information Security Management System is required, such as one based on the ISO 27001 standard.
- Continuity and Cybersecurity Plans: Develop, implement and formally certify these plans.
- Continuous Operations: Conduct and communicate to the National CSIRT the results of exercises, reviews and drills.
- Immediate Measures: Adopt rapid actions to mitigate the impact and spread of an incident.
- Continuous Training: Implement training and cyber hygiene programs for all personnel.
- Designate a Cybersecurity Delegate: Formally appoint a technical liaison with ANCI. This role is key and requires a combination of technical and strategic knowledge, typically the profile of a cybersecurity engineer or a GRC expert.
ANCI's Perspective: Oversight, Sanctioning Power and Risks
ANCI has broad powers to ensure compliance (Art. 11). It can:
- Oversee compliance with the law.
- Order audits of obligated entities.
- Request detailed information about their operations.
- Access facilities and systems (with proper legal safeguards).
The Chilean cybersecurity law sanctions (Art. 40) are severe and translate risk into concrete figures, especially for OVIs:
- Serious Infractions: Fines of up to 20,000 UTM (approximately USD 1.5 million).
- Very Serious Infractions: Fines of up to 40,000 UTM (nearly USD 3 million).
ANCI will determine the fine considering factors such as damage caused, benefit obtained, intentionality and recidivism. This is in addition to the risks of severe reputational impact and high defense and remediation costs.
Immediate Steps: How to Begin the Path to Compliance?
The cybersecurity law is already in effect and its first formal instructions are being published. Waiting is not a strategy. Here are practical steps your company must take right now, starting with the most urgent.
1. Immediate Action: Register the Cybersecurity 'Officer' with ANCI
This is no longer a future obligation; it is a present requirement. ANCI's General Instruction No. 1, published in the Official Gazette, requires all institutions providing Essential Services to register a 'Cybersecurity Incident Reporting Officer' on the Agency's official platform.
This is the first formal step of interaction with the new regulator, and failing to comply is considered a minor infraction of the law.
Key Requirements for the Officer and Process:
- The Central Requirement: Your company must designate and formally register the person (or persons, including a principal and substitutes) who will act as the technical counterpart before ANCI. This person will be responsible for managing incident reports.
- Officer Profile: The instruction is clear that the designated person must have 'technical or professional training or experience in cybersecurity'. It cannot be a merely administrative role; they must be able to maintain a fluid, technical relationship with the National CSIRT.
- Registration and Legal Accreditation Process: Registration is done on the portal 'portal.anci.gob.cl' using the Unique Key (Clave Única) and a second authentication factor. However, the most critical step is the legal one:
  - A document signed with advanced electronic signature by the company's legal representative must be attached, formally accrediting the appointment of the Officer.
  - Additionally, documents accrediting the powers of said legal representative must be included.
  - This is not a simple administrative procedure; it is a formal legal act that establishes your company's relationship with the regulator.
2. Conduct a Diagnosis or 'Gap Analysis'
Once registration is completed, the next step is to understand your current status regarding the law's other obligations. Where are the gaps between your current practices and the requirements for an ISMS, continuity plans or reporting protocols? This analysis is the foundation of any Chilean compliance strategy.
3. Define Internal Responsibilities (Board Level)
Cybersecurity must be a standing item on the board agenda. A committee or director responsible for overseeing the implementation of the GRC (Governance, Risk & Compliance) program and reporting on its progress must be designated.
4. Seek Expert Advisory to Create a Roadmap
Navigating the technical and legal details of this regulation requires specialized knowledge. In our experience advising leading companies, the first obstacle is translating the law into a concrete and prioritized action plan. Expert advisory on cybersecurity law is not a cost; it is an investment in risk mitigation.
Conclusion: An Obligation that is Also an Opportunity
The cybersecurity framework law is a challenge, but also an opportunity to build a more resilient, secure and reliable organization. Addressing compliance proactively is protecting your business value.
Don't wait until it's too late. Our team of lawyers expert in cybersecurity and corporate law can help you navigate this new regulation and transform compliance into a strength for your business. Schedule an initial consultation today.
This article constitutes general information and does not replace personalized legal advice for your particular case.